CVE-2023-2067

Name of the Vulnerable Software and Affected Versions The Announcement & Notification Banner – Bulletin plugin for WordPress versions up to, and including, 3.7.0

Description The issue allows unauthenticated attackers to modify the plugin's settings, modify bulletins, create new bulletins, and more, via a forged request. This is possible because of a missing nonce validation on the bulletinwp update bulletin status, bulletinwp update bulletin, bulletinwp update settings, bulletinwp update status, bulletinwp export bulletins, and bulletinwp import bulletins functions. Attackers can exploit this by tricking a site's user into performing an action, such as clicking on a link.

Recommendations For versions up to, and including, 3.7.0, update to a version higher than 3.7.0 to resolve the issue. As a temporary workaround, consider restricting access to the bulletinwp update bulletin status, bulletinwp update bulletin, bulletinwp update settings, bulletinwp update status, bulletinwp export bulletins, and bulletinwp import bulletins functions until a patch is available.